5 Questions Execs Are Asking About CCPA
April 29, 2020
July 1 is the date set for enforcement of the California Consumer Privacy Act (CCPA). With this enforcement comes the threat of hefty fines if your company is not in CCPA compliance. Even with enforcement looming, a lot of companies still aren’t sure if they are really prepared. Our data governance team has fielded a lot of questions from executives, legal teams and information security experts. We’re sharing the top five questions we regularly hear, along with our answers, to help you see where you stand.
1) Does CCPA apply to me?
We encounter a number of execs who ask us what’s in the law, or summarily think CCPA doesn’t apply to their company. We’re not lawyers – and we don’t claim to give legal advice. But, based on our experiences, we do discuss guidelines and criteria that cover whether you’re bound by CCPA or other data privacy laws. So, that said, here are some basic rules to know:
- You’re subject to the CCPA if you do business in California and one or more of the following
aretrue for your company:
- Has gross annual revenues in excess of $25 million
- Buys, receives or sells the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of annual revenues from selling consumers’ personal information
- “Doing business in California” is given a broad definition – basically, if you have any customers residing in California, you need to pay attention to CCPA.
- You must be able to comply with California’s new data rights, including:
- The right to know what personal information is collected, used, shared or sold
- The right to delete personal information held by businesses
- The right to opt-out of the
saleof personal information
- The right to non-discrimination in exercising these rights
2) What’s my risk under CCPA?
You can be fined $2,500 per compliance violation, which goes up to $7,500 if the violation is considered intentional. This could add up quickly depending on your customer base. Perhaps more eye-opening is the new right of Californians to sue you if their personal information is compromised through a data breach, if considered due to company negligence. These are class action lawsuits waiting to happen.
In the larger data privacy picture, risk comes in various forms – not just fines or lawsuits under mandates like CCPA, but also things like the public relations nightmare and related damage to the company brand if there’s a data breach. Companies want to be known as good stewards of their customers’ data. So, risk begins with your data itself: what data do you store – such as personally identifiable information, or PII – that exposes you to risk, where is the data, who has access to the data, and what is the data being used for?
Risk scenarios pop up in unexpected places. For example, we found that a meter reader for a major utility had access to a system and could see all customers’ data – across the whole company. This was much more information than was necessary for the reader to do his job. In another situation, a company decided to move from on-premise systems to the cloud. However, there was data on an on-premise system that wasn’t supposed to be moved without prior third-party authorization. In the big picture, your risk is dependent on knowing all you can about your data.
“Unfortunately, legal departments don’t always have a clear understanding of the work that’s needed. Then when we get into it, they realize the exposure and scope are much broader.
– Varun Maddula, Prolifics Technical Architect, Information Management
3) What if we do nothing?
Amazingly, we get this question all the time. It’s hard to simply ignore a major piece of legislation, but some companies are willing to try. The most basic answer is that if you do nothing, you’ll never know your level of exposure – until it’s too late. It would be a difficult conversation with the rest of the C-suite or board if your only response to large fines is “we decided to do nothing.” Willfully doing nothing could be seen as negligence – putting your exposure into the higher fine and lawsuit categories.
We understand the reasoning of some companies: “We’ve only received one or two requests under CCPA so far. What’s the big deal? We’ll pay the fine when they get to us.” It could be easy to get lulled into thinking that the general public isn’t aware of these rules, that it’s just more noise among legislators and consultants. But the larger data privacy movement has deep community roots, and consumers are becoming more involved in this issue and more concerned about their personal data.
On top of that, there are activist groups out there that are making it their mission to inform people on the new rules – including “ambulance chasers” who would like nothing more than to nail a company with a lawsuit. Those one or two requests could easily turn into hundreds – or thousands – in a few months.
“If you do nothing – you’re just waiting to have someone come find you doing 200 mph on the interstate.”
– Brian Kordelski, Prolifics Global Sales Leader, Data & Analytics
4) Can we do CCPA manually?
This is usually the next question, and just a step up from, “What if we do nothing?” It is unlikely that, without some form of automation, you’ll ever know your level of exposure or whether you’re headed toward compliance. It’s improbable that you’d find all the data to comply with requests under CCPA or other data privacy laws (let alone find potential data breaches) through manual effort. What estimate of man hours do you think you’d need, and are you prepared to staff up accordingly?
Data seeps and morphs through an organization’s data bases, email systems, servers, shared drives and more – parsed and scattered for different uses by different people. It can be structured, unstructured or semi-structured. Data dynamics and relationships form that may be intentional or unintentional, and that you may not even know exist, regardless of the man hours dedicated to it.
Doing it manually may show good intentions toward compliance and may get you out of negligence territory. But, without automation – and some machine learning thrown in for good measure – it’s almost the same as doing nothing. If you feel you don’t have the budget or know-how for data privacy automation now, realize that you can take baby steps. You don’t have to undertake a full, massive solution all at once – there are variabilities to solutions, from simple to sophisticated.
“On multiple occasions we’ve found executive and board of director compensation and personal information copied in databases throughout pockets in organizations – available for viewing by people who had not business seeing it.”
– Ron Davis, Prolifics Practice Director, Data Governance
5) How do CCPA and GDPR compare?
When discussing the CCPA/GDPR comparison, we usually hear two statements: “I didn’t have to worry about GDPR, so I don’t need to worry about CCPA,” or “I think I’m good on GDPR compliance so I must be okay for CCPA.” The two legislations are similar in many ways: protecting personal information, reporting data breaches, and looking for company transparency. Yet, there are enough differences that you need to look at CCPA on its own.
But, as noted earlier, laws like GDPR and CCPA are part of a larger data privacy movement, with more and more governments coming out with their own laws. In the states, laws in Hawaii, Massachusetts, New York and Maryland are pending. Our point is that, overall, companies should not wait and wonder when each individual state or government mandate is going to roll out and what the various comparisons will be. Data privacy is linked to, and part of, the larger issues of data governance, data management and data security. You should look for bigger picture answers that ultimately address them together, as one. Any new government mandate will fall somewhere under that umbrella, and you will be 99.9 percent ready for whatever comes next – with solutions in place that are applicable and repeatable.
“Companies collect much more data from their customers than is really required for a particular business process. We can generalize that all the problems start there. Once businesses collect more information than necessary, it is there in your data systems, existing for no reason. It’s a foundation of data privacy laws that you should only collect the minimum necessary data.”
– Varun Maddula, Prolifics Technical Architect, Information Management
How can we help?
First, know that if you need someone to talk with about your CCPA preparedness, we’re here for you. And if you want to dive further into what your company needs to do, we can do that too. We think of it as a compliance health check. We’ll start with a discussion and our basic assessment offering. We’ll do an inventory and assessment of the data you have, not in painful detail, but in a way for you to understand your general risk and give you an idea of your exposure. This can help you decide what level of risk you’re willing to accept and give you options for next steps.
We have the products and solutions to help your company work towards compliance with any data privacy laws. And while we offer a step-by-step approach for an end-to-end solution, we can help you at any point in your compliance journey.